On Sun, Nov 04, 2012 at 02:51:32AM +0100, Erwin Schliske wrote:
> Hello,
>
> I've now updated my gateways to 5.2 and have tested again.
>
> If I start isakmpd in foreground mode with
>
> isakmpd -K -d -S
>
> and sasyncd in foreground mode with
>
> sasyncd -d -v
>
> and this sasyncd.conf
>
> peer x.x.x.x
> interface carp0
> control isakmpd
> sharedkey xxxxxxxxxxxxxxx
>
> the tunnel never comes up. isakmpd stays in passive mode, even though the output
> from sasyncd says that it is the master.
>
> If I start isakmpd with
>
> isakmpd -K -d
>
> the tunnel comes up in seconds.
>
>
> Any idea?

I think you already got a hint from mikeb.

http://marc.info/?l=openbsd-misc&m=135144572426640&w=2

	-Otto

>
> Regards,
> Erwin
>
>
> > Hello,
> >
> > Thanks for all responses. The hints like pinging not from the gateway but from
> > the network, debug mode and so on were checked by me before I sent the
> > email to this list. It is also worth mentioning that the tunnel which makes trouble
> > is not the only one on the gateway. Other tunnels work without problems.
> >
> > But now I have figured out what I have to change to bring up the tunnels
> > after loading the config with ipsecctl.
> >
> > I have to disable sasyncd, which if enabled causes isakmpd to be started with
> > parameter S. If isakmpd starts without this parameter the tunnels come up
> > and work smoothly.
> >
> > So the question. Is this a known behaviour, that isakmpd switches to passive
> > if sasyncd is enabled? Or is this a bug?
> >
> >
> > Thanks.
> >
> > Erwin
> >
> > On 02.10.2012 at 11:01, Janne Johansson <icepic...@gmail.com> wrote:
> >
> >> 2012/10/1 Erwin Schliske <erwin.schli...@sevenval.com>:
> >>> Hello,
> >>>
> >>> I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
> >>> with a Cisco ASA 5505, which is not under my administration.
> >>>
> >>> Here is the ipsec.conf
> >>>
> >>> ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } \
> >>>     to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
> >>>     peer a.b.102.219 \
> >>>     local c.d.3.254 \
> >>>     main auth hmac-sha1 enc 3des group modp1024 \
> >>>     quick auth hmac-sha1 enc 3des group none \
> >>>     psk password
> >>>
> >>> If I try to ping one host on the Cisco side from the OpenBSD side the tunnel
> >>> doesn't come up. If I look with tcpdump on the external interface or in the
> >>> tcpdump logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I ping
> >>> from the Cisco side a host on the OpenBSD side the tunnel comes up. In the
> >>> logging of isakmpd I see these loglines
> >>
> >> "from the X side", does that mean you try to ping from the openbsd,
> >> OR, from one of the networks listed in the from-line?
> >> One of the common mistakes is to test from the ipsec-gw itself and not
> >> accounting for the fact that the ipsec.conf lines mostly are
> >> "to talk from net A to net B, host X will do ipsec to peer Y". In such
> >> a case, testing from host X will not go through the tunnel, since the
> >> rule is "from net A".
> >> Most of the time the host X has a leg on net A and can "ping -I
> >> my-ip-at-NetA dest-on-net-B" but not always.
> >>
> >> Then again, since active esp is the default for ipsec.conf when you
> >> write "ike esp ...", it should start trying to set the tunnel up as
> >> soon as you load the rules, and not wait until packets want to
> >> traverse it.
> >>
> >> --
> >> To our sweethearts and wives. May they never meet. -- 19th century toast